Dear Community,
We have a subscription for the commercial Spamhaus data query service, which provides a set of sophisticated DNS-based blacklists - not only based on the sender IP address; the sender domain, HELO domain etc. and content can be checked as well.
For this purpose the Postfix MTA needs to be configured in a fine-grained way:
main.cf:
reject_rhsbl_sender <spamhaus_app_key>.dbl.dq.spamhaus.net=127.0.1.[2..99],
reject_rhsbl_helo <spamhaus_app_key>.dbl.dq.spamhaus.net=127.0.1.[2..99],
reject_rhsbl_reverse_client <spamhaus_app_key>.dbl.dq.spamhaus.net=127.0.1.[2..99],
reject_rhsbl_sender <spamhaus_app_key>.zrd.dq.spamhaus.net=127.0.2.[2..24],
reject_rhsbl_helo <spamhaus_app_key>.zrd.dq.spamhaus.net=127.0.2.[2..24],
reject_rhsbl_reverse_client <spamhaus_app_key>.zrd.dq.spamhaus.net=127.0.2.[2..24],
reject_rbl_client <spamhaus_app_key>.zen.dq.spamhaus.net=127.0.0.[2..255]
Currently I can only use the ZEN blacklist, which can be added using the PMG GUI (Mail Proxy).
Additionally, I do not want to expose my secret app key to the blocked spam sender, because it will be added to the SMTP error message created by Postfix.
For this purpose I want to create a rewrite map for the DNSBL reply generated by Postfix and add the following configuration to main.cf as well:
rbl_reply_maps = hash:/etc/postfix/dnsbl-reply-map
Content of /etc/postfix/dnsbl-reply-map:
<spamhaus_app_key>.sbl.dq.spamhaus.net=127.0.0.[2..255] $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using sbl.spamhaus.org${rbl_reason?; $rbl_reason}
<spamhaus_app_key>.xbl.dq.spamhaus.net=127.0.0.[2..255] $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using xbl.spamhaus.org${rbl_reason?; $rbl_reason}
<spamhaus_app_key>.pbl.dq.spamhaus.net=127.0.0.[2..255] $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using pbl.spamhaus.org${rbl_reason?; $rbl_reason}
<spamhaus_app_key>.sbl-xbl.dq.spamhaus.net=127.0.0.[2..255] $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using sbl-xbl.spamhaus.org${rbl_reason?; $rbl_reason}
<spamhaus_app_key>.zen.dq.spamhaus.net=127.0.0.[2..255] $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using zen.spamhaus.org${rbl_reason?; $rbl_reason}
<spamhaus_app_key>.dbl.dq.spamhaus.net=127.0.1.[2..99] $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using dbl.spamhaus.org${rbl_reason?; $rbl_reason}
<spamhaus_app_key>.zrd.dq.spamhaus.net=127.0.2.[2..24] $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using zrd.spamhaus.org${rbl_reason?; $rbl_reason}
How can I implement those anti-spam rules without getting them overwritten by PMG?
How can I apply these configurations without getting them overwritten by PMG during the next config update?
Thanks,
Claus
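Added example, not part of the original post: a small Python audit that checks every key-bearing DNSBL argument in main.cf has an entry in the reply map, and that the matching template contains neither the key nor `$rbl_domain`. It assumes Postfix looks up `rbl_reply_maps` by the DNSBL argument exactly as written in the restriction (the form the post's map uses); the key, the sample data and the function names are constructed for illustration.

```python
import re

KEY = "constructedkey0000"  # constructed placeholder, not a real app key

# Constructed sample: a subset of the post's restrictions with the key filled in.
MAIN_CF = f"""
reject_rhsbl_sender {KEY}.dbl.dq.spamhaus.net=127.0.1.[2..99],
reject_rhsbl_helo {KEY}.dbl.dq.spamhaus.net=127.0.1.[2..99],
reject_rhsbl_reverse_client {KEY}.zrd.dq.spamhaus.net=127.0.2.[2..24],
reject_rbl_client {KEY}.zen.dq.spamhaus.net=127.0.0.[2..255]
"""
# Reply template from the post; {name} is the public zone label shown to senders.
TEMPLATE = ("$rbl_code Service unavailable; $rbl_class [$rbl_what] blocked "
            "using {name}.spamhaus.org${{rbl_reason?; $rbl_reason}}")
ZONES = [("dbl", "127.0.1.[2..99]"), ("zrd", "127.0.2.[2..24]"),
         ("zen", "127.0.0.[2..255]")]
REPLY_MAP = "\n".join(
    f"{KEY}.{zone}.dq.spamhaus.net={flt} " + TEMPLATE.format(name=zone)
    for zone, flt in ZONES)

def dnsbl_args(main_cf):
    """DNSBL arguments of reject_rbl_*/reject_rhsbl_* restrictions, as written."""
    return re.findall(r"reject_r(?:hs)?bl_\w+\s+([^\s,]+)", main_cf)

def parse_map(text):
    """Postfix table source format: lookup key, whitespace, value."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not line.startswith("#"):
            table[parts[0]] = parts[1].strip()
    return table

def audit(main_cf, reply_map, secret):
    """Return (redacted argument, problem) pairs for replies that expose the key."""
    table, findings = parse_map(reply_map), []
    for arg in sorted(set(dnsbl_args(main_cf))):
        if secret not in arg:
            continue  # public zones carry no key, nothing to hide
        shown = arg.replace(secret, "<key>")  # never print the key itself
        template = table.get(arg)
        if template is None:
            findings.append((shown, "no reply-map entry, default_rbl_reply applies"))
        elif secret in template or "$rbl_domain" in template:
            findings.append((shown, "template reveals the queried zone"))
    return findings

if __name__ == "__main__":
    print(audit(MAIN_CF, REPLY_MAP, KEY) or "all keyed DNSBL replies are rewritten")
```

Run it against the generated main.cf after each configuration update: a restriction added without a matching map line falls back to the default reply, which names the queried zone and therefore the key.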